CVE-2026-45554 (CVSS base score 5.3)
- EPSS 0.34%
- Published 02.06.2026 15:35:07
- Last modified 02.06.2026 17:15:44
- Source security-advisories@github.com
NiceGUI: Unauthenticated log-flood DoS via trailing slash on ESM and per-component resource routes
NiceGUI is a Python-based UI framework. Prior to version 3.12.0, two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log as a full traceback. Because the routes are reachable without authentication, a remote attacker can amplify log volume and consume disk and log-pipeline capacity on any publicly reachable NiceGUI server. This issue has been patched in version 3.12.0.
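The mechanics in the description above, as an added example written for this page rather than code from NiceGUI or Starlette. It models the two route shapes with plain functions: `serve_vulnerable` is a hypothetical reconstruction of the pre-3.12.0 pattern (join the sub-path onto the asset root and hand the result to a FileResponse), and `serve_hardened` is our own fix, not necessarily the change shipped in 3.12.0. `FileResponseModel` is an assumption standing in for `starlette.responses.FileResponse`, which raises `RuntimeError` at send time when the path is not a regular file; in a real FastAPI route the sub-path would arrive through a `{sub_path:path}` parameter, here it is passed in directly. The asset tree is constructed in a temporary directory. `traceback_bytes_for` measures what one failing unauthenticated request adds to the log under the vulnerable shape.

```python
from __future__ import annotations

import stat
import tempfile
import traceback
from pathlib import Path


def make_constructed_tree() -> Path:
    """Build a throwaway asset directory (constructed sample data, not NiceGUI's tree):
    one component file at the top level and one vendored file in a sub-directory."""
    root = Path(tempfile.mkdtemp(prefix="nicegui-assets-"))
    (root / "component.js").write_text("export default {};\n")
    (root / "vendor").mkdir()
    (root / "vendor" / "lib.js").write_text("// vendored library\n")
    return root


class FileResponseModel:
    """Stand-in for starlette.responses.FileResponse (assumption: modelled on Starlette's
    send-time check, which raises RuntimeError when the path is missing or is not a
    regular file; this is not Starlette's code)."""

    def __init__(self, path: Path) -> None:
        self.path = Path(path)

    def send(self) -> bytes:
        if not self.path.exists():
            raise RuntimeError(f"File at path {self.path} does not exist.")
        if not stat.S_ISREG(self.path.stat().st_mode):
            raise RuntimeError(f"File at path {self.path} is not a file.")
        return self.path.read_bytes()


def serve_vulnerable(root: Path, subpath: str) -> bytes:
    """Pre-fix route shape (hypothetical reconstruction): the sub-path is joined onto
    the asset root and handed straight to FileResponse. A sub-path that is empty or
    ends in '/' names a directory, so send() raises RuntimeError, which the ASGI
    server logs as a full traceback."""
    target = root / subpath
    return FileResponseModel(target).send()


def serve_hardened(root: Path, subpath: str) -> tuple[int, bytes]:
    """Hardened route shape (our own fix, not necessarily the 3.12.0 patch): resolve the
    path, refuse anything outside the asset root, and require a regular file before a
    FileResponse is ever built. Directories and missing files become a plain 404."""
    base = root.resolve()
    target = (base / subpath).resolve()
    try:
        target.relative_to(base)  # confinement check: no '../' escape from the root
    except ValueError:
        return 404, b""
    if not target.is_file():  # directories (trailing slash, empty path) and missing files
        return 404, b""
    return 200, FileResponseModel(target).send()


def traceback_bytes_for(root: Path, subpath: str) -> int:
    """Bytes one failing request adds to the log under the vulnerable shape: the
    traceback of the unhandled RuntimeError. Returns 0 when the request succeeds."""
    try:
        serve_vulnerable(root, subpath)
    except RuntimeError:
        return len(traceback.format_exc().encode())
    return 0


if __name__ == "__main__":
    root = make_constructed_tree()
    for sub in ("component.js", "vendor/lib.js", "", "vendor/", "../", "missing.js"):
        status, _ = serve_hardened(root, sub)
        print(f"{sub!r:16} hardened -> {status}   vulnerable log bytes -> {traceback_bytes_for(root, sub)}")
```

Running it shows that a trailing-slash request (`vendor/` or the empty sub-path) gets a 404 from the hardened variant and a multi-hundred-byte traceback from the vulnerable one. The real Uvicorn and Starlette call stack is deeper than this three-frame model, so the per-request amplification on a production server is larger, not smaller.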
Data provided by the CVE Program via a CVE Numbering Authority (CNA) (unstructured).
Vendor
zauberzeug
Product
nicegui
Version
< 3.12.0
Status
affected
VulnDex Vulnerability Enrichment
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.34% | 0.259 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
CWE-248 Uncaught Exception
An exception is thrown from a function, but it is not caught.
CWE-770 Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
https://github.com/zauberzeug/nicegui/releases/tag/v3.12.0
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-pq7c-x8g4-rvp6